AWS Certified Solutions Architect – Associate (SAA-C02) — Question 571

A company has a three-tier web application that is deployed on AWS. The web servers are deployed in a public subnet in a VPC. The application servers and database servers are deployed in private subnets in the same VPC. The company has deployed a third-party virtual firewall appliance from AWS Marketplace in an inspection VPC. The appliance is configured with an IP interface that can accept IP packets.
A solutions architect needs to integrate the web application with the appliance to inspect all traffic to the application before the traffic reaches the web server.
Which solution will meet these requirements with the LEAST operational overhead?

Answer options

Correct answer: D

Explanation

Gateway Load Balancer (GWLB) is designed specifically to simplify the deployment, scaling, and management of third-party virtual appliances on AWS. By using GWLB along with Gateway Load Balancer endpoints (GWLBE), traffic can be transparently routed to the firewall appliances for deep packet inspection with minimal operational overhead. Other load-balancing options (ALB/NLB) or Transit Gateway configurations either do not support this transparent 'bump-in-the-wire' architecture or require significantly more complex routing and management.
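The architecture the explanation describes, as an added Terraform sketch that is not part of the question or of any vendor's code: a GWLB in the inspection VPC, an endpoint service, a GWLB endpoint in the application VPC, and an ingress route table on the internet gateway that sends web-subnet traffic through the endpoint before it reaches the web servers. Resource names such as `aws_vpc.inspection`, `aws_subnet.web`, `aws_subnet.gwlbe` and `aws_internet_gateway.app` are assumed to exist already.

```hcl
# Added example, not part of the question. Assumes existing aws_vpc.inspection, aws_subnet.inspection,
# aws_vpc.app, aws_subnet.web (public web tier), aws_subnet.gwlbe, aws_internet_gateway.app.
# Gateway Load Balancer in the inspection VPC, fronting the appliances over GENEVE (UDP 6081).
resource "aws_lb" "fw" {
  load_balancer_type = "gateway"
  subnets            = [aws_subnet.inspection.id]
}

resource "aws_lb_target_group" "fw" {
  port     = 6081
  protocol = "GENEVE"
  vpc_id   = aws_vpc.inspection.id
}

resource "aws_lb_listener" "fw" {
  load_balancer_arn = aws_lb.fw.arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.fw.arn
  }
}

# Publish the GWLB as an endpoint service and consume it as a GWLB endpoint (GWLBE) in the app VPC.
resource "aws_vpc_endpoint_service" "fw" {
  acceptance_required        = false
  gateway_load_balancer_arns = [aws_lb.fw.arn]
}

resource "aws_vpc_endpoint" "fw" {
  service_name      = aws_vpc_endpoint_service.fw.service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  vpc_id            = aws_vpc.app.id
  subnet_ids        = [aws_subnet.gwlbe.id]
}

# Ingress routing: a route table associated with the IGW steers packets bound for the web
# subnet into the GWLBE, so inspection happens before the web servers see them. For the
# return path, the web subnet's own route table sends 0.0.0.0/0 to the same GWLBE.
resource "aws_route_table" "igw_ingress" {
  vpc_id = aws_vpc.app.id
  route {
    cidr_block      = aws_subnet.web.cidr_block
    vpc_endpoint_id = aws_vpc_endpoint.fw.id
  }
}

resource "aws_route_table_association" "igw_ingress" {
  gateway_id     = aws_internet_gateway.app.id
  route_table_id = aws_route_table.igw_ingress.id
}
```

Registering the appliance instances in the target group and giving the GWLBE subnet its own route table (default route to the IGW) complete the setup; no changes to the web, application or database tiers are needed, which is the source of the low operational overhead.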